Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)
ACROS Security wrote:
> =====[BEGIN-ACROS-REPORT]=====
>
> PUBLIC
>
> =========================================================================
> ACROS Security Problem Report #2005-05-24-2
> -------------------------------------------------------------------------
> ASPR #2005-05-24-2: HTML Injection in BEA WebLogic Server Console (2)
> =========================================================================
>
> Document ID: ASPR #2005-05-24-2-PUB
> Vendor: BEA Systems (http://www.bea.com)
> Target: WebLogic Server and WebLogic Express, Service Pack 4
> Impact: An HTML injection vulnerability exists in WebLogic
> Server Console, enabling attackers to hijack
> administrative sessions using cross site scripting
> Severity: High
> Status: Official patch available, workarounds available
> Discovered by: Mitja Kolsek of ACROS Security
>
> Current version
> http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt
>
>
> Summary
> =======
>
> There is a vulnerability in the WebLogic Server Console login page that
> allows an attacker to assume the administrator's identity and thus gain
> administrative access to the Server Console. It is possible to inject
> malicious JavaScript into the login page so that when the administrator
> logs in, his username and password are silently transmitted to the
> attacker's web server.
>
>
> Product Coverage
> ================
>
> - WebLogic Server 8.1, Service Pack 4 - affected
> - WebLogic Server 7.0, Service Pack 2 - not affected
> - WebLogic Express 7.0, Service Pack 6 - affected
>
> Older versions are likely to be affected as well.
>
>
> Analysis
> ========
>
> Cross site scripting is a very common problem with web-based applications.
> Basically, it is present whenever the server is willing to include the
> user's input data, which contains some client-side script (e.g. JavaScript),
> unsanitized somewhere within the generated web page sent back to the browser. This
> script, when executed, has access to all information within and about the
> received web page, including the cookies.
>
> The main differentiator of this particular vulnerability is that the
> attacker need not trick the administrator into visiting a malicious web
> site while being in an administrative session. Furthermore, in contrast to
> other cross-site scripting vulnerabilities, this vulnerability allows the
> attacker to also obtain the administrator's username and password - and not
> "only" his session identifier (ADMINCONSOLESESSION).
>
>
> Solution
> ========
>
> BEA Systems has issued a security bulletin [1] and published a patch
> which fixes this issue.
>
>
> Workaround
> ==========
>
> - Always close all browser instances/windows and delete all cookies before
> logging in to WebLogic Server Console.
>
>
> References
> ==========
>
> [1] BEA Systems Security Advisory BEA05-80.00
> http://dev2dev.bea.com/pub/advisory/130
>
>
> Acknowledgments
> ===============
>
> We would like to acknowledge Gordon Engel of BEA Systems for extremely
> diligent and professional handling of the identified vulnerability.
>
>
> Contact
> =======
>
> ACROS d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor
>
> e-mail: security@xxxxxxxxxxxxxxxxx
> web: http://www.acrossecurity.com
> phone: +386 2 3000 280
> fax: +386 2 3000 282
>
> ACROS Security PGP Key
> http://www.acrossecurity.com/pgpkey.asc
> [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]
>
> ACROS Security Advisories
> http://www.acrossecurity.com/advisories.htm
>
> ACROS Security Papers
> http://www.acrossecurity.com/papers.htm
>
> ASPR Notification and Publishing Policy
> http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm
>
>
> Disclaimer
> ==========
>
> The content of this report is purely informational and meant only for the
> purpose of education and protection. ACROS d.o.o. shall in no event be
> liable for any damage whatsoever, direct or implied, arising from use or
> spread of this information. All identifiers (hostnames, IP addresses,
> company names, individual names etc.) used in examples and demonstrations
> are used only for explanatory purposes and have no connection with any
> real host, company or individual. In no event should it be assumed that
> use of these names means specific hosts, companies or individuals are
> vulnerable to any attacks nor does it mean that they consent to being used
> in any vulnerability tests. The use of information in this report is
> entirely at user's risk.
>
>
> Revision History
> ================
>
> May 24, 2005: Initial release
>
>
> Copyright
> =========
>
> (c) 2005 ACROS d.o.o. Forwarding and publishing of this document is
> permitted providing the content between "[BEGIN-ACROS-REPORT]" and
> "[END-ACROS-REPORT]" marks remains unchanged.
>
> =====[END-ACROS-REPORT]=====
To exploit this, an admin user still needs to click on a link to a URL,
right? Or is the malicious JavaScript inserted into the login page via
HTTP splitting?